How to Secure Android & iOS Apps in Bamboo CI/CD
This Knowledge Base article provides instructions for using the Appdome Build2Secure plugin for Atlassian Bamboo CI/CD pipelines. Appdome’s Build2Secure plugin for Atlassian Bamboo is an out-of-the-box Atlassian Bamboo CI/CD integration, making it easy for mobile developers to automate the building, signing, and certification of security, anti-fraud, and other protections in Android and iOS apps in Atlassian Bamboo CI/CD pipelines. No code and no SDKs are required.
Appdome’s Build2Secure plugin for Atlassian Bamboo aims to streamline and accelerate cyber and anti-fraud delivery in CI/CD pipelines.
The Build2Secure plugin for Atlassian Bamboo automates three crucial steps in quickly delivering more secure mobile applications to your users:
(1) Building app-level protections into mobile apps.
(2) Code-signing the protected mobile app.
(3) Certifying the security of each protected mobile app.
The Appdome Build2Secure plugin for Atlassian Bamboo enables the delivery of Certified Secure™ mobile app security, anti-fraud, anti-malware, mobile anti-bot, and other cyber defense updates to mobile apps via the Appdome Cyber Defense Automation Platform. Use this plugin as a stand-alone DevSecOps integration or in combination with other DevSecOps integrations in your CI/CD pipeline.
For more general information on Atlassian Bamboo, refer to the Atlassian Bamboo CI/CD documentation available on the Atlassian website.
Here are the step-by-step instructions on using the Appdome Build2Secure plugin for Atlassian Bamboo.
Prerequisites for Secure Android & iOS Apps in Bamboo CI/CD
- An Appdome SRM account
- Appdome API token
- Fusion-Set ID
- Atlassian Bamboo data center
If you don’t have Atlassian Bamboo installed, refer to this guide to set up your Bamboo CI/CD.
Step 1: Getting Started with Build2Secure Plugin for Bamboo
Atlassian Bamboo automates building and testing of code projects, supporting all major languages and project types. It combines continuous integration, continuous delivery, and continuous testing to build, test, and deliver your code to any destination.
The Appdome Build2Secure plugin takes the unprotected application file (apk, aab or ipa), rebuilds the file, and signs it by using the On-Appdome platform, based on the selected fusion set and signature method. This task can be performed either as part of an existing plan or as a new plan where you must provide the application file as part of the input for this task.
Step 2: Installing the Build2Secure Plugin for Bamboo
- Log into your Bamboo server with an admin account.
- Navigate to “Manage apps” in the administration dropdown.
- Search for and install the Appdome Bamboo plugin from the marketplace.
Step 3: Setting up your Bamboo CI/CD Project
- If you already have a Bamboo project, skip to step 4.
- If you don’t have a Bamboo project, start by creating one: Click “Create” in the top navigation bar, then select “Create project” and complete the required fields.
- Click Save.
Step 4: Creating a Plan
- If you already have a Bamboo plan, proceed to Step 5.
- If you don’t have a Bamboo plan, start by creating one:
- Click “Create” in the navigation bar
- Select “Create plan” from the dropdown menu.
- Configure the plan that you want to create.
- Optionally, you can link a repository to this plan.
- You can choose to add tasks to your plan now or save the plan and add tasks at a later stage (refer to Step 5 for adding tasks).
Step 5: Adding Appdome’s Build2Secure task to your plan
Now that you have a plan for your Bamboo project, it’s time to configure it and integrate Appdome Build2Secure.
Go to the “Actions” dropdown on your plan dashboard and select “Configure plan”.
All plans are created with a default job, which we’ll use for this example, but you can configure it in other jobs as you need.
- Choose the job that you want to configure the plan for.
- Add a task.
- Search for “Appdome” and select the Build2Secure task.
Step 6: Configuring Appdome’s Build2Secure task
Configure all the required parameters for your build:
Global configurations:
For the basic configurations that you need for any app, see Appendix A.
Signing configurations:
For signing on Appdome (Android/iOS), see Appendix B.
For Private signing (Android/iOS), see Appendix C.
For Auto Dev signing (Android/iOS), see Appendix D.
Additional Options
Refer to Appendix E for additional options such as “Build with Logs”, “Build to Test”, etc.
How to use Bamboo variables is explained in Appendix F.
Step 7: Defining an artifact to publish the outputs
To access the outputs from this task, it’s necessary to publish them as an artifact.
In the job configuration, go to the artifacts tab and click “Create artifact”.
- A configuration pop-up will appear, where you will specify the artifact’s location.
- Set the artifact’s default location to: “appdome_outputs”
- Use the copy pattern “**/**” to retrieve all of the files.
Note: If you changed the location using the Output Path described in Appendix E, put the same path here.
Step 8: Run the plugin
Execute the plugin manually by selecting “run” or set up different types of triggers for the plan, as outlined in the Triggering builds guide.
Appendices A to F provide detailed examples and configurations for various aspects of the Build2Secure plugin.
Appendix A: Global Appdome Build2Secure Inputs example
An unprotected app path can be either a path to a file located on the agent (mainly as an output from an earlier task) or a download link from the web.
Appendix B: Sign on Appdome Build2Secure Inputs example
Android
iOS
Both mobile provisioning and entitlements can be either a path to a file located on the agent (mainly as an output from an earlier task) or a download link from the web.
For multiple files, enter them comma-separated, without spaces.
Appendix C: Private Signing Build2Secure Inputs example
Android
iOS
Both mobile provisioning and entitlements can be either a path to a file located on the agent (mostly as an output from an earlier task) or a download link from the web.
For multiple files, enter them comma-separated, without spaces.
Appendix D: Auto Dev Signing Build2Secure Inputs example
Android
iOS
Both mobile provisioning and entitlements can be either a path to a file located on the agent (mainly as an output from an earlier task) or a download link from the web.
For multiple files, enter them comma-separated, without spaces.
Appendix E: Extra Build2Secure Optional Inputs
Build With Logs: Check to build your app with diagnostic logs.
Second Output: Checking this will generate a universal .apk file in addition to the secure .aab app file.
Note: Not supported for Auto Dev signing.
Build To Test: Select your preferred automated testing service to build the app in test-ready mode.
Output Path: Change the path of Appdome’s outputs relative to the agent’s working directory (default: appdome_outputs)
Output App Name: Change the name of your output app (no extension) (default: Appdome_Secured_App)
Appendix F: Using Bamboo variables
In your plan configuration, navigate to the “Variables” tab and define the variables you need.
Bamboo masks a variable’s value for protection when its name contains certain keywords (password, secret, etc.).
To use the variable, enter it in the input field like this: ${bamboo.myvariablename}.
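A pre-flight check for the rules above, as an added example that is not part of the original article or of Appdome's plugin: it flags sensitive task inputs that are typed as literals or that reference a variable whose name would not be masked, undefined ${bamboo.*} references, and whitespace in comma-separated file lists. The field labels, variable names and sample values are hypothetical, and the keyword list is limited to the two keywords the article names, matched as case-insensitive substrings (an assumption).

```python
import re

# Keywords the article names as triggering masking; its "etc." means the real
# list is longer, so extend this tuple for your Bamboo version (assumption).
MASK_KEYWORDS = ("password", "secret")
VAR_REF = re.compile(r"\$\{bamboo\.([A-Za-z0-9_.]+)\}")

def lint_task_inputs(fields, defined_vars, sensitive_fields, list_fields):
    """Return sorted findings for one task's input fields.

    fields: {label: value typed into the form}; defined_vars: names from the
    Variables tab; sensitive_fields / list_fields: sets of labels to check.
    """
    findings = []
    for label, value in fields.items():
        refs = VAR_REF.findall(value)
        for name in refs:
            if name not in defined_vars:
                findings.append(f"{label}: ${{bamboo.{name}}} is not defined")
        if label in sensitive_fields:
            # A literal here bypasses the variable masking from Appendix F.
            if VAR_REF.fullmatch(value) is None:
                findings.append(f"{label}: literal value, use a ${{bamboo.*}} variable")
            for name in refs:
                if not any(k in name.lower() for k in MASK_KEYWORDS):
                    findings.append(f"{label}: variable '{name}' has no masking keyword")
        if label in list_fields and re.search(r"\s", value):
            findings.append(f"{label}: whitespace in comma-separated list")
    return sorted(findings)

# Constructed sample input: field labels, variable names and values are hypothetical.
SAMPLE_FIELDS = {
    "API token": "${bamboo.appdome_api_token}",
    "Keystore password": "example-literal",
    "Provisioning profiles": "a.mobileprovision, b.mobileprovision",
    "Fusion set ID": "${bamboo.fusion_set_id}",
}

def sample_findings():
    return lint_task_inputs(
        SAMPLE_FIELDS,
        defined_vars={"appdome_api_token"},
        sensitive_fields={"API token", "Keystore password"},
        list_fields={"Provisioning profiles"},
    )

if __name__ == "__main__":
    print("\n".join(sample_findings()))
```

With the two keywords above, a variable named appdome_api_token is reported as unmasked, while a name such as appdome_token_secret passes.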